Some users have reported problems after upgrading to pfSense 2.5.0.

Edit: pfSense 2.5.1 is now available.

In this article we list, in a FAQ-style format, the main known issues and the available fixes.

Table of contents

Should I upgrade to v2.5.0?
pfSense 2.5.0 update is not available on the dashboard
How can I downgrade to 2.4.5-p1?
I can not rename Alias used in firewall rule
CBQ Traffic shaping doesn’t work as expected
Unbound crashes periodically
OpenVPN problems
IPsec problems
Non-local gateway problem
RA (Router Advertisements) IPv6 problems
Upgrade or installation problem on ZFS device
Zabbix Proxy Failed after upgrade
pfBlockerNG doesn’t work as expected
I have an issue with certificates after 2.5 upgrade
OpenBGPD, Quagga OSPF, relayd are no longer available
I have problems with Realtek NIC
Some problems with FRR and BGP
I still have bugs, what can I do?
How to install a patch?

Should I upgrade to v2.5.0?

Yes, you can.
The vast majority of users do not encounter any problems.
Most of the bugs have been fixed.

By the way, pfSense 2.5.1 is now available.

Take a look at our article: [pfSense] Upgrading pfSense (how-to).

pfSense 2.5.0 update is not available on the dashboard

First, try to force a cache refresh in your browser (ctrl-F5, shift+reload or similar).
Second, check that no script is blocked by the browser or an extension.
Third, try to enable the “State Table Size” option on the dashboard:

Click on the modify button of the System Information widget:

[pfSense] System Information widget

Scroll-down and check the “State Table Size” box then Save:

[pfSense] State Table Size option

How can I downgrade to 2.4.5-p1?

There is no longer an official link for downloading pfSense-2.4.5-p1.

You can find older versions of pfSense by following these links:
https://repo.ialab.dsu.edu/pfsense/
or
https://forum.netgate.com/topic/161085/download-location-for-2-4-5-release-p1-amd64

I can not rename Alias used in firewall rule

If you try to rename an alias that is used in firewall rules, you get an error like this: “Unresolvable source alias ‘AliasName’ for rule ‘Rule with AliasName’”.

There is a fix in place for that:

585e7567d0e308ce440ff1b0651976c97fe58115

If necessary, take a look at the section How to install a patch?

More information: https://forum.netgate.com/topic/161094/solved-renaming-alias-used-in-firewall-rule.

CBQ Traffic shaping doesn’t work as expected

Some users have reported a panic when using CBQ traffic shaping. It appears when CBQ is used on VLAN interfaces.

There is no solution for now. Try to deactivate CBQ or use another algorithm like PRIQ or HFSC.

More information: https://redmine.pfsense.org/issues/11470

Unbound crashes periodically

Go to Diagnostics > Command Prompt:

[pfSense] Diagnostics > Command Prompt

The command to execute is the following:

pkg upgrade -fy unbound

Be sure to restart the Unbound service from Status > Services afterwards.

Or directly in command line:

pkg upgrade -fy unbound; pfSsh.php playback svc restart unbound

Anyway, make sure to restart unbound after this package installation.

OpenVPN problems

Double check your cryptographic parameters on client and server.
Try to uncheck the “Data Encryption Negotiation” setting in the OpenVPN client setup.

Double check your OpenVPN configuration too.
For example, some users discovered that the IPv4 tunnel network on the client side was blank. The setup had somehow been working before the upgrade with that field blank and with a certificate that didn’t exist on the server.

IPsec problems

There are a lot of bugs reported about IPsec. Most of them have been fixed.

To ensure you have all of the current known and fixed IPsec issues corrected, you can install 6 patches:

  • ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
  • 57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
  • 10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
  • ded7970ba57a99767e08243103e55d8a58edfc35 #11486
  • afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
  • 2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488

It is necessary to restart the firewall after installing the patches.

If necessary, take a look at the section How to install a patch?

More information: https://forum.netgate.com/topic/161142/ipsec-upgrade-to-2-5/4?_=1614102852026.

Non-local gateway problem

If you use a non-local gateway (i.e. a gateway that is not in your WAN subnet), this gateway will not be added on boot. You have to add it manually.

This bug is now resolved. If you encounter the problem you can add this patch:

a97987a5d1df8219f40433270fce0e3ef49345dc

If necessary, take a look at the section How to install a patch?

More information: https://redmine.pfsense.org/issues/11433.

RA (Router Advertisements) IPv6 problems

This bug is resolved. If you encounter the problem you can add this patch:

91cd17417d7cba3ab5dbe55f0ced02eaef78c45b

If necessary, take a look at the section How to install a patch?

More information: https://redmine.pfsense.org/issues/11367.

Upgrade or installation problem on ZFS device

The problem is that the installer “forgets” to add zfs_load="YES" to /boot/loader.conf.

Go to Diagnostics > Command Prompt (or directly in command line):

[pfSense] Diagnostics > Command Prompt

Execute the following command:

echo 'zfs_load="YES"' >> /boot/loader.conf.local

More information: https://redmine.pfsense.org/issues/11483

Zabbix Proxy Failed after upgrade

Due to database changes between zabbix-proxy versions, the proxy database needs to be removed after upgrading, otherwise the proxy service won’t start.

Workaround: remove the database, then reinstall Zabbix Proxy.

Go to Diagnostics > Command Prompt (or directly in command line):

[pfSense] Diagnostics > Command Prompt

Execute the following command:

rm /var/db/zabbix-proxy/proxy.db

Then reinstall Zabbix Proxy.

More information: https://redmine.pfsense.org/issues/11493

pfBlockerNG doesn’t work as expected

This problem is easy to resolve with a Force Reload in the Update tab in pfBlockerNG.

I have an issue with certificates after 2.5 upgrade

An invalid certificate date can lead to a PHP crash after the 2.5.0 upgrade.
This bug is resolved. If you encounter the problem you can add this patch:

cb17faca3b07197db4b1eb1502a876873ddc222c

If necessary, take a look at the section How to install a patch?

More information: https://redmine.pfsense.org/issues/11489.

OpenBGPD, Quagga OSPF, relayd are no longer available

It’s not a bug. It’s a feature. These packages have been removed.

I have problems with Realtek NIC

There is a package available for installing Realtek drivers for those that have been suffering with that hardware.
Seems easy enough, and more importantly seems more stable than previous – also haven’t dropped gateway, no dpinger issues, and no unbound issues since testing the Realtek driver.

Go to Diagnostics > Command Prompt (or directly in command line):

[pfSense] Diagnostics > Command Prompt

Execute the following commands:

pkg install realtek-re-kmod
echo 'if_re_load="YES"' >> /boot/loader.conf.local

Then reboot your firewall.

Finally, execute this command:

dmesg | grep re0

It should say something about Realtek … and leave out the alphabet soup that the previous driver said and show a version: 1.96.04 or something like that.
The default driver doesn’t print a version line.

Some problems with FRR and BGP

Currently the GUI renders an invalid FRR config when bgp as-path ACLs are in use.
These ACLs are written under the “router bgp ” section, which causes FRR and the bgpd daemon to fail to start.
Switching to raw config mode and putting all bgp as-path access-list entries outside the router bgp section is the only way to work around this.
Prefix-lists and route-maps are not affected by this and are written correctly to the config.

Another difference is that bgpd, starting with version 7.5, filters route announcements by default.
Without an outbound route-map in the neighbor statement, no routes will be announced at all.
An empty “route-map permit ” does the job.

The next difference compared to pfSense 2.4.5-p1 is that IGP route synchronization is now in effect.
You cannot disable it by using “no synchronization” in the bgpd config.
So when you use the network statement to configure prefixes that are not in the routing table, it’s necessary to configure a static route to Null for those networks on the device.
This is pretty common on many network devices, but was not necessary in pfSense 2.4.5-p1.
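
An added example, not part of the original article or of the pfSense FRR package: a small Python lint that checks a raw FRR config for the three pitfalls described above before it is loaded. The two sample configs, AS numbers, addresses and names are constructed; the check assumes sections are indented the way vtysh writes them, and the static-route check only sees "ip route" lines in the same file, not the live routing table.

```python
import re

# Constructed samples; AS numbers, addresses and names are made up.
BAD = """\
router bgp 65001
 bgp as-path access-list PEER-AS permit ^65010$
 neighbor 192.0.2.1 remote-as 65010
 address-family ipv4 unicast
  network 198.51.100.0/24
 exit-address-family
"""
FIXED = """\
bgp as-path access-list PEER-AS permit ^65010$
ip route 198.51.100.0/24 Null0
router bgp 65001
 neighbor 192.0.2.1 remote-as 65010
 address-family ipv4 unicast
  network 198.51.100.0/24
  neighbor 192.0.2.1 route-map RM-OUT out
 exit-address-family
route-map RM-OUT permit 10
"""

def lint_frr(conf):
    """Return findings for the three FRR/BGP pitfalls described above."""
    findings, in_bgp = [], False
    peers, with_out, networks, statics = set(), set(), set(), set()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # assumption: top-level lines are unindented
            in_bgp = line.startswith("router bgp ")
            if m := re.match(r"ip route (\S+) ", line):
                statics.add(m.group(1))
            continue
        if not in_bgp:
            continue
        if "as-path access-list" in line:
            findings.append(f"as-path ACL inside router bgp: {line}")
        elif m := re.match(r"neighbor (\S+) remote-as ", line):
            peers.add(m.group(1))
        elif m := re.match(r"neighbor (\S+) route-map \S+ out$", line):
            with_out.add(m.group(1))
        elif m := re.match(r"network (\S+)", line):
            networks.add(m.group(1))
    findings += [f"neighbor {p}: no outbound route-map" for p in sorted(peers - with_out)]
    findings += [f"network {n}: no static route in config" for n in sorted(networks - statics)]
    return findings
```

An empty permit route-map satisfies the outbound check but announces every route bgpd would otherwise send; matching a prefix-list inside it limits what is exported to the prefixes you intend.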

I still have bugs, what can I do?

The best thing to do is to make a backup, then reinstall pfSense 2.5.0 from scratch and import your configuration.

If it doesn’t work, take a look at the Documentation, at the pfSense forum or open a ticket on the pfSense bugtracker.

How to install a patch?

First you should install the “System Patches” package.

Navigate to System > Package Manager:

[pfSense] System > Package Manager

Go to the Available Packages tab, then search for “System Patches” and install it:

[pfSense] Installing “System Patches” package

Go to System > Patches:

Read the text and warnings, then click on the “+” button to add a new patch.

Fill in the fields as follows:

  • Description: whatever you want.
  • Commit ID: corresponding commit ID
  • Save

Once a commit ID has been entered, there will be a Fetch link. Click Fetch and the patch will only be retrieved, not applied.

To apply the patch, simply click Apply and it will apply the patch. The available link for the patch will then change to say Revert instead. To revert, click Revert.

More information: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
